There’s just a year to go before the General Data Protection Regulation (GDPR) becomes fully enforceable. Are you ready?
Compliance with the GDPR has become a major priority for SMBs since the European Parliament adopted it as the replacement for the 1995 Data Protection Directive. The new regulation harmonises data protection law across the European Union (EU) and applies to every business that processes the personal data of people in the EU, regardless of where that business is located.
You can read a summary of the GDPR and what it means for SMBs here.
In this article, we’ll show you four effective ways to prepare your business for the GDPR. With fines for non-compliance reaching €20 million or four per cent of annual worldwide turnover, whichever is higher, you simply cannot afford to be complacent. Nor can you assume that Brexit means no GDPR: current government announcements suggest that it will be carried into British law even after the UK leaves the EU, according to Eversheds, a law firm.
The GDPR applies from 25 May 2018, so this is the time to be proactive and start taking steps to get your business ready:
1. Assemble your GDPR compliance team
Achieving GDPR compliance isn’t a job for one person. You need a team of people who can help you plan, implement and be accountable for your compliance efforts. The size of this team will depend on the size of your business, but consider engaging:
- Your IT partner. An IT partner can review your overall security posture and GDPR readiness, as well as help you develop a compliant IT security policy.
- Leadership or management. It’s important to involve your business’s leadership team in the compliance project. They can push your compliance agenda and communicate any changes to the rest of your staff.
The important thing here is that you have a dedicated team who can drive, document and be accountable for compliance. Under the GDPR, accountability and proof of compliance are essential for every business; don’t skip this crucial step.
2. Review your current IT security policy and data handling procedures
Compliance with the existing Data Protection Directive does not automatically mean that you’re compliant with the GDPR. This is why it’s important to review your current security setup, your IT security policy and your other data handling policies and procedures.
This is a process of discovery. The goal is to gather enough information to give you a clear understanding of how your business currently collects, uses and stores personal data. Here are some questions you can ask yourself to get the process started:
- What kind or type of personal data do we collect? How is it being used, and to whom is it being disclosed or transferred?
- Do we store any personal data? If so, is it stored on-premises, in the cloud or both?
- How do we back up our data? Do we have a business continuity plan?
- Do we have the ability to track and erase personal data from our systems?
Be aware that the GDPR gives individuals the right to obtain a copy of the personal data you hold about them (the right of access) and, subject to certain exceptions, the right to have it erased (the right to erasure). This is why you need to know what kind of data you hold, where it lives, and you need to be confident in your ability to trace, disclose and erase it on request. Take the time to review your current data handling and IT security procedures, and enlist an IT partner to help you in the process.
3. Build privacy into everything you do
The GDPR is all about privacy by design. What does this mean? It means embedding privacy protections into every aspect of your business and your interactions with customers, and it extends to all your products, services and processes. It’s about building privacy controls into everything you do, rather than tacking them on as an afterthought.
In practice, this starts with transparency at the point of collection. Your privacy notices should clearly state:
- what personal information is being requested or collected from consumers;
- the specific purpose of that information (i.e. why you’re collecting it); and
- details regarding the transfer, retention and disclosure of the information.
4. Develop a data breach notification plan
Under the GDPR, businesses must report a personal data breach to their supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk. Where the breach is likely to result in a high risk to the affected individuals, they must also be told without undue delay.
That’s a tight timeline to work with, and the last thing you want to be doing in the wake of a data breach is risking non-compliance by failing to notify the regulator and your customers in time. This is where a breach notification plan becomes useful.
Your data breach notification plan doesn’t have to be complicated. All it needs to do is:
- State who is responsible for reporting and documenting a breach when it’s discovered;
- Outline the process for notifying the regulator and affected customers of a data breach. This includes who will send the notifications, what information each notification must contain and the method of communication.
Consider putting together some draft breach notification letters or emails that you can send to customers, regulators and other authorities. Careful planning of this kind will save your skin in those crucial 72 hours following a breach because it will enable you to focus on other important things, like mitigating the breach and preventing additional data loss, instead of scrambling to write notifications!
This is just the beginning
May 2018 seems like a long way off, but it’s not. You need to start preparing your business for the GDPR today.
These four things are just some of the actions you can take to prepare your business for the GDPR. In reality, this is just the tip of the iceberg; there is much more you can and should do.
If you’re not sure where to start, review the GDPR and get an IT partner to help you understand and implement the controls and processes you need to achieve compliance. Remember: achieving GDPR compliance is not one person’s job. It’s always easier to get by with a little help from your friends.